Danish security firm Secunia specializes in vulnerability management, at all levels. You may have used their Secunia Personal Software Inspector 3.0 to find and fix unpatched vulnerabilities on your home or small office computer. The corresponding Corporate Software Inspector does the same for an entire organization, with a central management console. Telemetry from these tools and other sources of Web intelligence gives Secunia a unique view into the world of vulnerabilities. The 2013 Secunia Vulnerability Review summarizes those insights and offers a few surprises.

Third-party Products Take a Hit

Nobody will be surprised to learn that the total number of known vulnerabilities is growing year over year, or that most rely on a remote network attack to penetrate vulnerable networks. However, significant flaws in Microsoft operating systems and programs are becoming a smaller and smaller portion of the total. Secunia reports that 86 percent of active vulnerabilities in 2012 affected third-party products such as Java, Flash and Adobe Reader. In 2007, third-party vulnerabilities made up less than 60 percent of the total.

On the plus side, the dangerous window between discovery of a vulnerability and creation of a patch is getting smaller. Secunia reports same-day patch availability for 80 percent of these threats in 2012, up from a bit over 60 percent in 2007. That does leave 20 percent that don't have a patch the same day, or even within 30 days, but keeping all your software updated will ensure you do get all those same-day patches.

SCADA Insecurity

The 2013 review reports on vulnerabilities in SCADA (Supervisory Control And Data Acquisition) systems. These systems control factories, power plants, nuclear reactors, and other highly significant industrial installations. The infamous Stuxnet worm destroyed uranium enrichment centrifuges in Iran by taking over their SCADA controllers.

According to Secunia, "SCADA software today is at the stage mainstream software was 10 years ago... Many vulnerabilities remain unpatched for longer than one month in SCADA software." A time-to-patch chart of representative SCADA vulnerabilities reveals that several in the high risk category remained unpatched for over 90 days.
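The patch-availability figures above (same-day patches, the 30-day mark, and SCADA flaws open past 90 days) are all instances of one metric: days from public disclosure to vendor patch. The script below is an added example, not Secunia's code or data, that computes that metric over a constructed set of advisories and reports the same buckets the review uses. Every advisory id, product name and date in it is made up for illustration.

```python
"""Time-to-patch bucketing over a constructed set of advisories.

Added example; not Secunia's code or data. Identifiers, product names and
dates are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # constructed id, not a real Secunia advisory number
    product: str              # constructed product name
    criticality: str          # e.g. "high", "moderate"
    disclosed: date           # date the flaw became public
    patched: Optional[date]   # vendor patch date, or None if still unpatched


def days_exposed(adv: Advisory, as_of: date) -> int:
    """Days from disclosure to patch, or to `as_of` if no patch exists yet."""
    end = adv.patched if adv.patched is not None else as_of
    return (end - adv.disclosed).days


def patch_window(adv: Advisory, as_of: date) -> str:
    """Bucket an advisory the way a time-to-patch chart would."""
    d = days_exposed(adv, as_of)
    if adv.patched is not None and d == 0:
        return "same-day"
    if d <= 30:
        return "within-30"
    if d <= 90:
        return "within-90"
    return "over-90"


def summarize(advisories: List[Advisory], as_of: date) -> Dict[str, object]:
    """Count advisories per window and list high-risk flaws still open past 90 days."""
    buckets = {"same-day": 0, "within-30": 0, "within-90": 0, "over-90": 0}
    high_unpatched_over_90 = []
    for adv in advisories:
        window = patch_window(adv, as_of)
        buckets[window] += 1
        if adv.patched is None and window == "over-90" and adv.criticality == "high":
            high_unpatched_over_90.append(adv.advisory_id)
    total = len(advisories)
    return {
        "buckets": buckets,
        "same_day_share": buckets["same-day"] / total if total else 0.0,
        "high_unpatched_over_90": high_unpatched_over_90,
    }


# Constructed sample data; nothing here refers to a real product or advisory.
SAMPLE = [
    Advisory("SAMPLE-001", "Browser plug-in A", "high", date(2012, 3, 5), date(2012, 3, 5)),
    Advisory("SAMPLE-002", "PDF reader B", "high", date(2012, 4, 10), date(2012, 4, 10)),
    Advisory("SAMPLE-003", "Runtime C", "moderate", date(2012, 5, 1), date(2012, 5, 15)),
    Advisory("SAMPLE-004", "SCADA HMI D", "high", date(2012, 6, 1), date(2012, 8, 15)),
    Advisory("SAMPLE-005", "SCADA PLC firmware E", "high", date(2012, 7, 1), None),
]
AS_OF = date(2012, 12, 31)  # constructed reporting cut-off


if __name__ == "__main__":
    result = summarize(SAMPLE, AS_OF)
    for window, count in result["buckets"].items():
        print(f"{window:>10}: {count}")
    print(f"same-day share: {result['same_day_share']:.0%}")
    print("high-risk, unpatched over 90 days:", result["high_unpatched_over_90"])
```

Unpatched advisories are measured against the reporting cut-off rather than dropped, which is what makes a SCADA flaw with no fix show up in the over-90 bucket instead of silently vanishing from the chart.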

In theory, SCADA systems should be less vulnerable because they're not connected to the Internet. In practice, that's not always the case, and even a local network connection could be compromised by attackers. A total "air gap," with no network connection whatsoever, didn't protect the Stuxnet centrifuges. They fell victim to infected USB drives unknowingly inserted by technicians. Clearly SCADA software vendors have some work to do as far as maintaining security and pushing out patches.

Hackers Go for the Gold

A zero-day vulnerability is one that's just been discovered, a vulnerability for which no patch exists. Secunia's report includes an informative chart that reports the number of zero-days found each year in the top 25 most popular programs, and in the top 50, 100, 200, and 400. The overall numbers differ year over year, peaking in 2011 with 15 zero-days.

What's more interesting is that within a given year, the numbers hardly change as the pool of potentially compromised programs grows. Almost all of the zero-days affect the most popular programs. That actually makes a lot of sense. Discovering a program flaw that nobody else has ever found requires a lot of research and hard work. It only makes sense for hackers to concentrate on the most widely distributed programs. An exploit that takes total control over the victim's system isn't worth a lot if only one system in a million has the vulnerable program installed.

More to Learn

I've hit the high spots, but there's a lot more to learn from Secunia's vulnerability report. You can download the entire report from Secunia's website. If the full report seems a bit overwhelming, don't worry. Secunia's researchers have also prepared an infographic that hits all the high spots.
